-- The MAILING DATE of this communication appears on the cover sheet with the correspondence address --
Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely.

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 

- Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [ ] Responsive to communication(s) filed on .

2a) [ ] This action is FINAL.    2b) [X] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.
Disposition of Claims 

4) [X] Claim(s) 1-19 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) [ ] Claim(s) is/are allowed.

6) [X] Claim(s) 1-19 is/are rejected.

7) [ ] Claim(s) is/are objected to.

8) [ ] Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) [X] The specification is objected to by the Examiner.

10) [X] The drawing(s) filed on 22 December 1999 is/are: a) [X] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).

11) [ ] The proposed drawing correction filed on is: a) [ ] approved b) [ ] disapproved by the Examiner.

If approved, corrected drawings are required in reply to this Office action.

12) [ ] The oath or declaration is objected to by the Examiner.
Priority under 35 U.S.C. §§119 and 120 

13) [X] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).

a) [X] All  b) [ ] Some*  c) [ ] None of:

1. Certified copies of the priority documents have been received.

2. [ ] Certified copies of the priority documents have been received in Application No. .

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage application from the International Bureau (PCT Rule 17.2(a)).

* See the attached detailed Office action for a list of the certified copies not received.

14) [ ] Acknowledgment is made of a claim for domestic priority under 35 U.S.C. § 119(e) (to a provisional application).

a) [ ] The translation of the foreign language provisional application has been received.

15) [ ] Acknowledgment is made of a claim for domestic priority under 35 U.S.C. §§ 120 and/or 121.

Attachment(s)

1) [X] Notice of References Cited (PTO-892)
2) [ ] Notice of Draftsperson's Patent Drawing Review (PTO-948)
3) [ ] Information Disclosure Statement(s) (PTO-1449) Paper No(s) .
4) [ ] Interview Summary (PTO-413) Paper No(s). .
5) [ ] Notice of Informal Patent Application (PTO-152)
6) [ ] Other:

DETAILED ACTION



Specification 

1. The disclosure is objected to because of the following informalities: pg. 17, line 31
"initialisation" should be "initialization".

Appropriate correction is required. 

Claim Objections 

2. Claim 1 is objected to because of the following informalities: pg. 17, line 31 "authorised"
should be "authorized". Appropriate correction is required. 



3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent by another filed in the United 
States before the invention thereof by the applicant for patent, or on an international application by another who 
has fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of this title before the invention 
thereof by the applicant for patent. 

The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act of 1999
(AIPA) do not apply to the examination of this application as the application being examined 
was not (1) filed on or after November 29, 2000, or (2) voluntarily published under 35 U.S.C. 
122(b). Therefore, this application is examined under 35 U.S.C. 102(e) prior to the amendment 
by the AIPA (pre-AIPA 35 U.S.C. 102(e)). 



Claim Rejections - 35 USC § 102

4. Claims 1, 3, 4, 8, 9, 10, 11, 13, 15, 16, 17, 18, and 19 are rejected under 35 U.S.C. 102(e)
as being unpatentable by US Patent No. 5,708,780 to Levergood et al. 

Regarding claim 1, Levergood et al. teaches a method of operating an authenticating 
server system for authenticating users at client terminals connected via a data communications 
network (column 3, lines 8-9), to control access to a document stored on a resource server, said 
method comprising performing the following steps in said server system: storing authentication 
details of authorized users (column 6, lines 61-63); receiving authentication data for a user from 
a client terminal of the user, and validating said authentication data by reference to said stored 
authentication details (column 3, lines 25-26 and column 6, lines 58-60); issuing an identifier for 
the user's terminal to said terminal for storage thereon (column 3, lines 17-20), the identifier 
being transmitted in such a manner that the identifier is retransmitted by said user terminal with 
document requests directed at said resource server (column 3, lines 12-17); storing status data 
indicating said identifier to be a validated identifier of a terminal of a currently authenticated 
user (column 3, lines 39-40), in response to said authentication step; and enabling said resource 
server to validate a request for said document from the user's terminal, which request includes 
said identifier, by checking said status data on receipt of said document request (column 3, lines 
44-47). 

Referring to claim 3, Levergood et al. teaches a method according to claim 1, wherein 
said authentication step comprises receiving said identifier from said user terminal with said 
authentication data (column 3, lines 44-47). 

Regarding claim 4, Levergood et al. teaches a method according to claim 3, wherein said
authentication step comprises issuing a new identifier to said user terminal if said authentication 
data is invalid (column 5, lines 46-49). 

Referring to claim 8, Levergood et al. teaches a method according to claim 1, comprising 
authenticating said user for access to a plurality of Web servers located in the same Internet 
domain (column 3, lines 66-67); and enabling each of said Web servers to validate document 
requests from the user's terminal, which requests include said identifier (column 3, lines 44-45), 
by checking said status data on receipt of a document request (column 6, lines 58-60). 

Regarding claim 9, Levergood et al. teaches a method of operating an authenticating 
server system for authenticating users at client terminals connected via a data communications 
network (column 3, lines 8-9), to control access to a document stored on a resource server, said 
method comprising performing the following steps in said server system: storing authentication 
details of authorized users (column 6, lines 61-63); performing remote authentication of a user 
by reference to said stored authentication details (column 3, lines 25-26 and column 6, lines 58-60)
and during said remote authentication step generating status data, distinguishing said user
from other users which are not currently authenticated (column 6, lines 61-63), and a secret 
encryption key shared with said user (column 5, lines 61-65); storing said status data in storage 
means accessible to said plurality of resource servers to check an authentication status of said 
user by using an identifier for the user's terminal received in a service request (column 3, lines 
13-16); and storing said shared secret key in a data store accessible by at least one of said 
resource servers for use during communications with said user (column 5, lines 61-65). 

Referring to claim 10, Levergood et al. teaches a method according to claim 9, wherein
said authenticating step comprises issuing a challenge to the user's terminal, receiving a response 
to said challenge, and verifying said response (column 6, lines 45-49 and 58-60). 

Referring to claim 11, Levergood et al. teaches a method according to claim 9, further
comprising updating said status data for an authenticated user following said storing step
(column 7, lines 31-34 and 63-64).

Regarding claim 13, Levergood et al. teaches a method according to claim 11, wherein 
said updating step is performed in response to access by one of said resource servers to said 
status data (column 8, lines 52-55). 

Regarding claim 15, Levergood et al. teaches a method according to claim 9, wherein 
said identifier is an IP address of the user's terminal (column 1, lines 39-41). 

Referring to claim 16, Levergood et al. teaches a method according to claim 9, wherein 
said authentication step comprises issuing said identifier to the user's terminal (column 3, lines 
30-32). 

Regarding claim 17, Levergood et al. teaches a method according to claim 9, wherein 
said status data is stored in a data store which said resource servers are each able to access 
(column 6, lines 61-63 and column 7, lines 31-34). 

Referring to claim 18, Levergood et al. teaches a method according to claim 9, wherein 
said authentication details include data identifying the rights of access of individual users to one 
or more of said application servers (column 3, lines 50-52). 

Regarding claim 19, Levergood et al. teaches an authenticating server system adapted to 
perform the method of claim 1 (column 5, lines 48-49 and column 6, lines 58-60). 

Claim Rejections - 35 USC § 103



5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

6. Claim 2 is rejected under 35 U.S.C. 103(a) as being unpatentable over US Patent No.
5,708,780 to Levergood et al. in view of Kirsch. 

Regarding claim 2, Levergood et al. teaches a method according to claim 1, wherein said 
identifier is transmitted to said user terminal (column 3, lines 30-32). 

Levergood et al. does not teach the transmission of the identifier in a cookie. Kirsch
teaches that said identifier is transmitted in a cookie to said user terminal (column 3, lines 14-16
and column 13, lines 11-13). Therefore, it would have been obvious to one having ordinary skill
in the art at the time the invention was made to further modify the internet server access control
and monitoring system of Levergood et al. by transmitting the identifier in a cookie because it is
a more secure manner of storage and transport of identification data.

7. Claims 5, 6, 7, 12, and 14 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
US Patent No. 5,708,780 to Levergood et al. in view of See et al. 

Regarding claim 5, Levergood et al. teaches of an identifier (column 1, lines 39-41), and 
the reception of an invalid authenticator from said user terminal (column 7, lines 13-14). 

Levergood et al. does not teach that the identifier contains the number of times an invalid 
authenticator was received. See et al. teaches said identifier comprises data indicating the 
number of times an invalid authenticator has been received from said user terminal (column 3, 
lines 23-25). Therefore, it would have been obvious to one having ordinary skill in the art at the
time the invention was made to further modify the internet server access control and monitoring 
system of Levergood et al. by having the identifier contain the number of times an invalid 
authenticator was received because a user can be denied access if they submit multiple invalid 
authenticators thus providing the system with added security and access control. 

Referring to claim 6, Levergood et al. teaches of an identifier (column 1, lines 39-41), 
and the reception of an invalid authenticator from said user terminal (column 7, lines 13-14). 

Levergood et al. does not teach that the system will not issue identifiers to the user if an 
identifier received from that user shows that a predetermined number of invalid authenticators 
have been received from the user. See et al. teaches said method comprising issuing no further 
identifier to said user terminal if an identifier received from said user terminal indicates that a 
predetermined number of invalid authenticators have been received from said user terminal 
(column 6, lines 23-26). Therefore, it would have been obvious to one having ordinary skill in 
the art at the time the invention was made to further modify the internet server access control and 
monitoring system of Levergood et al. by not issuing identifiers to the user if an identifier 
received from that user shows that a predetermined number of invalid authenticators have been 
received from the user because this provides the system with added security and access control 
by not allowing unauthorized users access to server information. 

Regarding claim 7, Levergood et al. teaches of an identifier (column 1, lines 39-41). 

Levergood et al. does not teach of timing out of an identifier. See et al. teaches of timing 
out of said identifier of a terminal of a currently authenticated user if no document request is 
received from said user terminal for a predetermined period (column 7, lines 32-36). Therefore, 
it would have been obvious to one having ordinary skill in the art at the time the invention was
made to further modify the internet server access control and monitoring system of Levergood et
al. by timing out an identifier because if a user were to forget to log out of a session, another could
use that workstation to access information that they are not authorized to view, and the timing out
of the identifier lessens the chance of this happening, therefore increasing the security of the
system.

Referring to claim 12, Levergood et al. teaches of an updating step (column 7, lines 31-34 
and 63-64). 

Levergood et al. does not teach of the updating step being performed because of a time-out.
See et al. teaches said updating step is performed in response to a time-out associated with
said status data (column 7, lines 32-36 and lines 37-39). Therefore, it would have been obvious 
to one having ordinary skill in the art at the time the invention was made to further modify the 
internet server access control and monitoring system of Levergood et al. by performing the 
updating step because of a time-out because this will give the system up-to-date information on 
the state of the workstation. 

Referring to claim 14, Levergood et al. teaches a method according to claim 12, wherein 
said updating step is performed in response to a request by the user's terminal (column 4, lines 1-4).

Conclusion 

8. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

The following patents are cited to further show the state of the art with respect to server
access control in general: 

US Pat No 5,506,961 to Carlson et al. 
US Pat No 6,377,994 to Ault et al. 
US Pat No 5,812,776 to Gifford. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to April L Baugh whose telephone number is 703-305-5317. The
examiner can normally be reached on Monday-Friday 7:00am-3:30pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R Sheikh can be reached on 703-305-9648. The fax phone numbers for the 
organization where this application or proceeding is assigned are 703-305-3719 for regular 
communications and 703-305-3719 for After Final communications. 

Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the receptionist whose telephone number is 703-305-3900. 

ALB

August 8, 2002

DAVID WILEY
PRIMARY EXAMINER